
Windows Analysis Report
mpXUd364Rz

Overview

General Information

Sample Name: mpXUd364Rz (renamed file extension from none to dll)
Analysis ID: 595330
MD5: 76a03b741a85be73b47b1a72cea1becb
SHA1: f453704ee0177d5771766870bc871e7c048a6c61
SHA256: 7fb4c95a329b24e6ab6742747cf896ae5125599548d38388fcb887b3fb871339
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 864 cmdline: loaddll64.exe "C:\Users\user\Desktop\mpXUd364Rz.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 3892 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5488 cmdline: rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5772 cmdline: rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • MDMAppInstaller.exe (PID: 6560 cmdline: C:\Windows\system32\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
        • MDMAppInstaller.exe (PID: 6568 cmdline: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
        • iexpress.exe (PID: 6676 cmdline: C:\Windows\system32\iexpress.exe MD5: 5EF563C2A4E7B7F4100ECD13B304FC48)
        • iexpress.exe (PID: 6732 cmdline: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe MD5: 5EF563C2A4E7B7F4100ECD13B304FC48)
        • wextract.exe (PID: 6804 cmdline: C:\Windows\system32\wextract.exe MD5: ED93B350C8EEFC442758A00BC3EEDE2D)
        • wextract.exe (PID: 6812 cmdline: C:\Users\user\AppData\Local\xwE\wextract.exe MD5: ED93B350C8EEFC442758A00BC3EEDE2D)
        • SystemPropertiesAdvanced.exe (PID: 7000 cmdline: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe MD5: 82ED6250B9AA030DDC13DC075D2C16E3)
        • FileHistory.exe (PID: 7120 cmdline: C:\Windows\system32\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)
        • FileHistory.exe (PID: 7132 cmdline: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)
        • iexpress.exe (PID: 580 cmdline: C:\Windows\system32\iexpress.exe MD5: 5EF563C2A4E7B7F4100ECD13B304FC48)
        • iexpress.exe (PID: 3396 cmdline: C:\Users\user\AppData\Local\KGg\iexpress.exe MD5: 5EF563C2A4E7B7F4100ECD13B304FC48)
        • sppsvc.exe (PID: 1236 cmdline: C:\Windows\system32\sppsvc.exe MD5: FEEC8055C5986182C717DD888000AEF6)
        • sppsvc.exe (PID: 4452 cmdline: C:\Users\user\AppData\Local\4gdyz\sppsvc.exe MD5: FEEC8055C5986182C717DD888000AEF6)
        • InfDefaultInstall.exe (PID: 5136 cmdline: C:\Windows\system32\InfDefaultInstall.exe MD5: 5FDB30927E9D4387D777443BF865EEFD)
    • rundll32.exe (PID: 5420 cmdline: rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoByHandle MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3676 cmdline: rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoExA MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000001F.00000002.477016719.00007FFFF0DB1000.00000020.00000001.01000000.00000013.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000024.00000002.560357001.00007FFFF6CC1000.00000020.00000001.01000000.00000018.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000017.00000002.405019771.00007FFFEF941000.00000020.00000001.01000000.0000000D.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000005.00000002.239061197.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000028.00000002.595122213.00007FFFE31A1000.00000020.00000001.01000000.0000001B.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |

Source | Rule | Description | Author | Strings
8.2.rundll32.exe.7fffe1fd0000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
31.2.FileHistory.exe.7ffff0db0000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
25.2.wextract.exe.7ffff6cc0000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
9.2.rundll32.exe.7fffe1fd0000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
33.2.iexpress.exe.7ffff0db0000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |

                      System Summary

Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3892, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1, ProcessId: 5488
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3616, TargetFilename: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe


                      AV Detection

Source: mpXUd364Rz.dll | Virustotal: Detection: 64%
Source: mpXUd364Rz.dll | Metadefender: Detection: 62%
Source: mpXUd364Rz.dll | ReversingLabs: Detection: 88%
Source: mpXUd364Rz.dll | Avira: detected
Source: C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\SUX56B\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\tivYqgA\newdev.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: mpXUd364Rz.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SUX56B\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\tivYqgA\newdev.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FF77C19E934 CreateFileW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CloseHandle,CryptDestroyHash,??_V@YAXPEAX@Z,CryptReleaseContext,??3@YAXPEAX@Z,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetHashParam,GetLastError,20_2_00007FF77C19E934
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FF77C19E64C EnterCriticalSection,CryptAcquireContextW,CryptAcquireContextW,GetLastError,LeaveCriticalSection,CryptReleaseContext,memset,20_2_00007FF77C19E64C
Source: mpXUd364Rz.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: iexpress.pdbGCTL source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
                      Source: Binary string: wextract.pdb source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
                      Source: Binary string: mdmappinstaller.pdbGCTL source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
                      Source: Binary string: wextract.pdbGCTL source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
                      Source: Binary string: sppsvc.pdb source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
                      Source: Binary string: SystemPropertiesComputerName.pdb source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
                      Source: Binary string: SystemPropertiesAdvanced.pdb source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
                      Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: sppsvc.pdbGCTL source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
                      Source: Binary string: SystemPropertiesComputerName.pdbGCTL source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
                      Source: Binary string: SystemPropertiesAdvanced.pdbGCTL source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
                      Source: Binary string: mdmappinstaller.pdb source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
                      Source: Binary string: iexpress.pdb source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
                      Source: Binary string: FileHistory.pdb source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE202ED10 FindFirstFileExW,1_2_00007FFFE202ED10
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FFFEF99ED10 FindFirstFileExW,20_2_00007FFFEF99ED10
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD5A08 LoadStringA,CopyFileA,GetLastError,FormatMessageA,SetFileAttributesA,SetLastError,GetUserDefaultUILanguage,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,memset,LocalAlloc,FindFirstFileA,FindClose,LocalFree,SetLastError,GlobalLock,GlobalUnlock,GlobalFree,GlobalLock,GlobalUnlock,GlobalFree,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,SetLastError,DeleteFileA,23_2_00007FF700CD5A08
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD2164 FindFirstFileA,FindClose,23_2_00007FF700CD2164
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD5518 LoadStringA,CompareStringA,GetModuleFileNameA,CharNextA,GetFileAttributesA,LocalAlloc,memset,CreateProcessA,CloseHandle,DispatchMessageA,PeekMessageA,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,GetLastError,FormatMessageA,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,DeleteFileA,DeleteFileA,DeleteFileA,23_2_00007FF700CD5518
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E551EC0 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,25_2_00007FF78E551EC0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FFFF6D1ED10 FindFirstFileExW,25_2_00007FFFF6D1ED10
Source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://xml.org/sax/properties/lexical-handler&<>"'SelectionLanguageXPathSelectio

                      E-Banking Fraud

Source: Yara match | File source: 8.2.rundll32.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.FileHistory.exe.7ffff0db0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.wextract.exe.7ffff6cc0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.iexpress.exe.7ffff0db0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.iexpress.exe.7fffef940000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.MDMAppInstaller.exe.7fffef940000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.sppsvc.exe.7ffff6cc0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.2.SystemPropertiesComputerName.exe.7fffe31a0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.SystemPropertiesAdvanced.exe.7ffff6cc0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll64.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000002.477016719.00007FFFF0DB1000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.560357001.00007FFFF6CC1000.00000020.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.405019771.00007FFFEF941000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.239061197.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.595122213.00007FFFE31A1000.00000020.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.246338634.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.336980954.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.512237394.00007FFFF0DB1000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.434475222.00007FFFF6CC1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.467061353.00007FFFF6CC1000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.253527112.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

                      System Summary

Source: sppsvc.exe.6.dr | Static PE information: section name: ?g_Encry
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E55297C GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,25_2_00007FF78E55297C
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E551B10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,25_2_00007FF78E551B10
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FFAC801_2_00007FFFE1FFAC80
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE203E48B1_2_00007FFFE203E48B
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE203E4B61_2_00007FFFE203E4B6
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE2032CA01_2_00007FFFE2032CA0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE203E4A61_2_00007FFFE203E4A6
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE203E4AD1_2_00007FFFE203E4AD
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FE3CD01_2_00007FFFE1FE3CD0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE2005CD01_2_00007FFFE2005CD0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE2003CF01_2_00007FFFE2003CF0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE2000D101_2_00007FFFE2000D10
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE2001D301_2_00007FFFE2001D30
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FFD5501_2_00007FFFE1FFD550
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FF3D501_2_00007FFFE1FF3D50
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FE9D701_2_00007FFFE1FE9D70
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FDC5A01_2_00007FFFE1FDC5A0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE20025C01_2_00007FFFE20025C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FE95C01_2_00007FFFE1FE95C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FE65E01_2_00007FFFE1FE65E0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE2002E101_2_00007FFFE2002E10
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FF36101_2_00007FFFE1FF3610
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C19E93420_2_00007FF77C19E934
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C1A19D420_2_00007FF77C1A19D4
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C1A49FF20_2_00007FF77C1A49FF
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C19464820_2_00007FF77C194648
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C19963020_2_00007FF77C199630
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C193FAC20_2_00007FF77C193FAC
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C196BDC20_2_00007FF77C196BDC
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9897D020_2_00007FFFEF9897D0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A765020_2_00007FFFEF9A7650
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF99DDC020_2_00007FFFEF99DDC0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AD52020_2_00007FFFEF9AD520
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF975CD020_2_00007FFFEF975CD0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF98A2C020_2_00007FFFEF98A2C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97BAE020_2_00007FFFEF97BAE0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF98CA5020_2_00007FFFEF98CA50
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97AA7020_2_00007FFFEF97AA70
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9759F020_2_00007FFFEF9759F0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF99315020_2_00007FFFEF993150
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97502020_2_00007FFFEF975020
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96788020_2_00007FFFEF967880
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF958FC020_2_00007FFFEF958FC0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95A7D020_2_00007FFFEF95A7D0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BB7A020_2_00007FFFEF9BB7A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96E7B020_2_00007FFFEF96E7B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96480020_2_00007FFFEF964800
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94101020_2_00007FFFEF941010
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF966FE020_2_00007FFFEF966FE0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9B4FF020_2_00007FFFEF9B4FF0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF962F5020_2_00007FFFEF962F50
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96872B20_2_00007FFFEF96872B
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A0F3020_2_00007FFFEF9A0F30
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BEF8020_2_00007FFFEF9BEF80
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AC78020_2_00007FFFEF9AC780
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94679020_2_00007FFFEF946790
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A576020_2_00007FFFEF9A5760
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95E77020_2_00007FFFEF95E770
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A077020_2_00007FFFEF9A0770
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BBF6F20_2_00007FFFEF9BBF6F
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A7EC020_2_00007FFFEF9A7EC0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9706A020_2_00007FFFEF9706A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96F6B020_2_00007FFFEF96F6B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AA6B020_2_00007FFFEF9AA6B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF99065020_2_00007FFFEF990650
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94162020_2_00007FFFEF941620
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94DE2020_2_00007FFFEF94DE20
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF947E8020_2_00007FFFEF947E80
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF946E9020_2_00007FFFEF946E90
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95867020_2_00007FFFEF958670
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9595C020_2_00007FFFEF9595C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9725C020_2_00007FFFEF9725C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94C5A020_2_00007FFFEF94C5A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96361020_2_00007FFFEF963610
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF972E1020_2_00007FFFEF972E10
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9565E020_2_00007FFFEF9565E0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF963D5020_2_00007FFFEF963D50
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96D55020_2_00007FFFEF96D550
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF998D2020_2_00007FFFEF998D20
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF971D3020_2_00007FFFEF971D30
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BC59020_2_00007FFFEF9BC590
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAp